
Can't pinpoint exact problem, but I know it's there

imroot (Lurker), Dec 7, 2020
Hello,

Many of my devices/accounts were compromised and I need help regaining control starting with my cell phone, but I need help. I've done hard factory resets like 3 times on my device but still feel like there are weird things happening with my phone, but I can't pinpoint where the problem lies.

I am aware that if there is some backdoor issue rooted on one or more of the installation files that this might be hard to detect and delete, and my options may be limited (last resort - getting a new phone).

I've reset all email accounts and their passwords, and don't log in on my phone to any known email, as I use a disposable one newly created (after resetting phone). I was using Kaspersky security but it detected nothing, and will be downloading malwarebytes to conduct further scans. I've compiled a list of system file folders and questionable files below, along with "Supported Web Addresses" that are saved for certain apps to open instead of browser app. I'm sure most are ok, but a few seem odd.

I appreciate any and all help in this matter, and will be available to perform actions suggested upon replies.


Data Folders and some files contained in a few of these
  • com.android.chrome
  • com.android.systemui
    • backupwallpapers
      • backup_home.xml
      • backup_lock.xml
  • com.android.vending
  • com.facebook.appmanager
  • com.google.android.apps.docs
  • com.google.android.apps.maps
  • com.google.android.gm
  • com.google.android.gms
  • com.google.android.googlequicksearchbox
  • com.google.android.music
  • com.google.android.videos
  • com.google.android.youtube
  • com.microsoft.office.officehubhl
    • cache
      • ts configuration jwt file
  • com.microsoft.skydrive
    • current log txt
    • ts configuration jwt file
  • com.samsung.android.app.smartcapture
  • com.samsung.android.app.soundpicker
  • com.samsung.android.app.spage
  • com.samsung.android.aremojieditor
  • com.samsung.android.calendar
  • com.samsung.android.email.provider
  • com.samsung.android.game.gamehome
  • com.samsung.android.messaging
  • com.samsung.android.mobileservice
  • com.samsung.android.rubin.app
  • com.samsung.android.samsungpass
  • com.sec.android.gallery3d
  • com.sec.imsservice
  • flipboard.boxer.app
Only provided a few files located in these folders, but will provide more if anything looks suspicious.

Supported Web Addresses for apps with their installed versions. Please forgive my ignorance if these are standard, and no issues, but I just want to be certain:

Drive 2.20.461.08.45
  • * (please explain why just an asterisk)
  • icing.drive.google.com
Gmail 2019.11.21.283644823.release
  • gmail.app.goo.gl
  • enterprise.google.com
Google Play Movies & TV 4.23.23.44
  • *.youtube.com
Google Play Music 8.28.8916-1.V
  • media (that's all it says for this one)
Google Play Services 20.45.16 (120408-344294571)
  • fir-auth-gms.firebaseapp.com
  • gds.google.com
  • business.google.com
  • enterprise.google.com
  • *.app.goo.gl
  • pay.google.com
  • near.by
Google Play Store 22.4.25-21 [0] [PR] 337959405

Link Sharing 11.5.00.31
  • s.amsu.ng
  • linksharing.samsungcloud.com
  • contentsAppLink
Maps 10.36.5
  • ditu.google.com
  • maps.google.cat
Office Mobile 16.0.11126.20206 & OneDrive 6.5.1
  • *.sharepoint-df.com
  • 1drv.ms
  • *.sharepoint.com
Samsung Pass 2.5.00.40
  • mdlappstgausenivlk.azurewebsites.net


Please let me know if there's anything else I can provide to dig deeper into this issue.

Thanks again
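On the "just an asterisk" question: the hosts listed under "Supported Web Addresses" are the `android:host` values each app declares in its manifest for link handling. Android treats a leading `*` as a suffix wildcard and a bare `*` as "any host", so the entries above are declarations, not evidence of tampering. The matcher below is an added example (not from the forum or from Android's source) that reproduces that host rule over the patterns quoted in the post; it ignores scheme and path checks, which the real intent filter also applies.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed from the "Supported Web Addresses" quoted in the post above.
DECLARED_HOSTS: Dict[str, List[str]] = {
    "Drive": ["*", "icing.drive.google.com"],
    "Google Play Movies & TV": ["*.youtube.com"],
    "Maps": ["ditu.google.com", "maps.google.cat"],
    "OneDrive": ["*.sharepoint-df.com", "1drv.ms", "*.sharepoint.com"],
}


def host_matches(pattern: str, host: str) -> bool:
    """Android host rule: a leading '*' strips to a suffix that the host must
    end with (so '*' alone becomes '' and matches every host); anything else
    is a case-insensitive exact match."""
    host = host.lower()
    if pattern.startswith("*"):
        suffix = pattern[1:].lower()
        return host.endswith(suffix)
    return host == pattern.lower()


def apps_claiming(url: str, table: Dict[str, List[str]] = DECLARED_HOSTS) -> List[str]:
    """Return, sorted, the apps whose declared hosts cover this URL's host."""
    host = urlsplit(url).hostname or ""
    return sorted(app for app, patterns in table.items()
                  if any(host_matches(p, host) for p in patterns))


if __name__ == "__main__":
    for u in ("https://www.youtube.com/watch?v=abc",
              "https://youtube.com/",
              "https://contoso.sharepoint.com/sites/x"):
        print(u, "->", apps_claiming(u))
```

Because Drive declares a bare `*`, it shows up for every URL; note also that `*.youtube.com` does not cover the bare `youtube.com` host, which is how Android's matcher behaves too.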
ok so everything you listed doesn't look like anything suspicious. what model s10e do you have? if it is a snapdragon phone then you most likely have a locked bootloader. there is no current way to unlock it. (i did find a thread on xda where a member says he was able to unlock the bootloader, but i have my doubts) so the chance that your phone is rooted is not currently possible.

i would look into flashing a firmware update, which is completely different than a factory reset. you can get your firmware from https://www.sammobile.com/firmwares/ just make sure to use the correct firmware for your phone. they are very device specific and flashing the wrong one could damage your phone.

also i would setup 2 step verification to all of your accounts where possible. the main one being your google account. do this before flashing the firmware.

here is the thread if you want to follow it:
https://forum.xda-developers.com/t/recovery-unofficial-twrp-for-galaxy-s10e-snapdragon.4190173/
but again i have my doubts mainly because he has not posted how he unlocked the bootloader....only saying that the forum site, xda, is preventing him from doing so......i find this really odd.
thank you for the reply

Model - G970U1

Before I go into flashing firmware, maybe someone could offer any other help in what to look for in malicious/hacked files, folders, or apps?

I'm using Netguard and when in lockdown traffic mode with the option selected to "Manage System Apps" I find some apps that appear to have mixed results when searching their legitimacy online. One example being SVC Agent - com.samsung.android.svcagent

Still learning how to read the firewall logs but the Whois coming back on a few of these that were denied raise red flags for me, but I'm sure there's a perfectly good reason.
ok so you have a snapdragon processor which means it can't be rooted at this point....well if anything it is not easy to gain root as you will need to unlock the bootloader first.

so anything malicious that would be on your phone would not lie in the system apps........so by flashing a firmware update everything will get wiped......so you should be good to go after that.

and you will just drive yourself nuts looking for something in the system files that might seem suspicious. a lot of them will have names that will seem odd and have suspicious names when in fact they are just system files.
Much of what has happened to me over the last 3 months is very difficult to talk about, and I'm not going into detail here on a public forum. However, I will say that it all started when I noticed something suspicious on my laptop, and then discovered a nasty Trojan. From there I learned that my other PCs were infected as well.

Then my phone was easily hacked, as my pictures and other files began to change in size, and also their appearance would change ever so slightly to hide disturbing images embedded in the code.

I've lost so much as a result of this. So much work, so much data, music, pictures, videos, etc. It's impossible to know which files have been infected so I'm forced to start completely from scratch. If your network or device has been compromised, it's so easy for this to spread to all parts of your online life.

I'm still assessing the situation, trying to learn exactly how to spot signs, how to combat the problem and stay protected. But some of these viruses, spyware, malware are highly sophisticated and can go undetected for quite some time (which is the point).

Thanks so much for your help with this.

Some questions:
  • Do I have to unlock bootloader when flashing the firmware? If so, is my warranty void? If so, is there a way around this?
  • What bootloader security risks are associated with flashing the firmware? More specifically I guess my question would be - am I making it easier for others to unlock the bootloader by me personally flashing the firmware on my own? What steps to take to ensure this doesn't happen?
  • If the laptop I'm currently using has possibly been compromised, what options do I have to save files for flashing? Let's assume all of my devices have been compromised, and my options to save files safely without the risk of corruption are extremely limited - are there cloud options to help achieve desired goal? Can this be done without a computer?